-
Notifications
You must be signed in to change notification settings - Fork 16
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Created 2020-09-21-IOCs-for-Dridex-infection.txt
- Loading branch information
1 parent
717d1c6
commit e4709c4
Showing
1 changed file
with
65 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,65 @@ | ||
| 2020-09-21 - INFECTION FROM DRIDEX MALSPAM | ||
|
|
||
| REFERENCE: | ||
|
|
||
| - https://twitter.com/Unit42_Intel/status/1308153302513745920 | ||
|
|
||
| EMAIL HEADER DATA: | ||
|
|
||
| - Received: from [91.81.229.185] (unknown [91.81.229.185]) by [removed]; Mon, 21 Sep 2020 14:25:24 +0200 (CEST) | ||
| - Received: from [1.124.14.21] (helo=FAWADUM.esa4.dhl-out.iphmx.com) by [removed] (envelope-from | ||
| [email protected]) [removed]; Mon, 21 Sep 2020 13:25:24 +0100 | ||
| - Date: Mon, 21 Sep 2020 13:25:24 +0100 | ||
| - From: BillingOnline <[email protected]> | ||
| - Subject: FedEx Billing Online - Invoice Ready for Payment | ||
|
|
||
| ONE OF AT LEAST 10 URLS GENERATED BY EXCEL MACRO: | ||
|
|
||
| - hxxps://cdn.applimmo[.]com/wxmn5b.pdf | ||
| - hxxps://mazimimarlik[.]com/ow1oorywn.pdf | ||
| - hxxps://lamesuspendue.swayb[.]com/pxxnmie14.zip | ||
| - hxxps://laptopsservicecenter[.]in/s3k9ebe2.pdf | ||
| - hxxps://mail.168vitheyrealestate[.]com/k5hkyj0.zip | ||
| - hxxps://retrodays[.]pt/lhtzu8p.zip | ||
| - hxxps://skybeetravels.cheapflightso[.]co[.]uk/py198k.pdf | ||
| - hxxps://starsignsdates[.]com/hurxlu8.pdf | ||
| - hxxps://stepco[.]ro/wij87mvg.txt | ||
| - hxxps://update.cabinetulieru[.]ro/thhqpn.txt | ||
|
|
||
| DRIDEX POST-INFECTION HTTPS TRAFFIC | ||
|
|
||
| - 51.75.24[.]85 port 443 | ||
| - 109.169.24[.]37 port 453 | ||
|
|
||
| ASSOCIATED MALWARE: | ||
|
|
||
| - SHA256 hash: 3259221b5378b9c9a983ae265527662c0c7856f6664a9a734754f549ee4d7a33 | ||
| - File size: 28,618 bytes | ||
| - File name: 5-107-26477.xlsm | ||
| - File description: Excel spreadsheet with macro for Dridex | ||
|
|
||
| - SHA256 hash: 5b4337f9ae1d91113c91abd0da39794d8aa216b149562440de541ca99618840d | ||
| - File size: 331,776 bytes | ||
| - File location: xxps://cdn.applimmo[.]com/wxmn5b.pdf | ||
| - File location: C:\XMjrcrYY\WZzAVF\XkZVNh | ||
| - Run method: regsvr32.exe /s [file name] | ||
| - File description: DLL installer retrieved by Excel macro for Dridex | ||
| - Note: Random characters for directory path and file name each infection | ||
|
|
||
| - SHA256 hash: 55067d633bef8350b5de24e3e9f153fc4a6765af0af168fb444a6329c701b10a | ||
| - File size: 1,017,344 bytes | ||
| - File location: C:\Users\[username]\AppData\Roaming\Microsoft\Templates\LiveContent\bGGj9sX\MFC42u.DLL | ||
| - File description: Dridex malware DLL | ||
| - Note: Run by copy of legitimate system file DevicePairingWizard.exe in the same directory | ||
|
|
||
| - SHA256 hash: 8a7cc23e3b7af9ebd2d1dd3791bb62bd1da1efd3d2c480fa51483552520abd0a | ||
| - File size: 1,012,224 bytes | ||
| - File location: C:\Users\[username]\AppData\Roaming\Sun\0umgO\WTSAPI32.dll | ||
| - File description: Dridex malware DLL | ||
| - Note: Run by copy of legitimate system file rdpclip.exe in the same directory | ||
|
|
||
| - SHA256 hash: eb3c152be59903d29cf02100ed2f9edea183a37882a68ae5655bcbc9004775d8 | ||
| - File size: 1,009,664 bytes | ||
| - File location: C:\Users\[username]\AppData\Roaming\Thunderbird\Profiles\1ovarfyl.default-release\ImapMail\.outlook.com\yFYLx\XmlLite.dll | ||
| - File description: Dridex malware DLL | ||
| - Note: Run by copy of legitimate system file sppsvc.exe in the same directory |